By Robert Vamosi
What a mess: 247,000 computers infected worldwide. Bank of America's ATMs down. E-commerce Web sites unable to process online orders. Worse, police and fire districts unable to receive 911 calls. Even Microsoft was affected by the SQL Slammer worm, also known as Sapphire and Helkern, which broke out just over a week ago.
But despite the initial indignation and chest beating following the Code Red and Nimda attacks of 2001 (remember the joint Microsoft/FBI press conference?), the U.S. government still lacks a clear and coherent strategy for dealing with large-scale cyberattacks.
Given the distractions of a possible war in the Middle East and a massive relocation of federal IT staff to the Persian Gulf, I believe the United States is even more vulnerable to cyberattacks today than it was in 2001. If a worm more powerful than Slammer were to hit tomorrow, we'd be in trouble.

Weak worm

As it turned out, the Slammer attack was relatively benign. The worm does exploit a buffer overrun to run its own code, but that code does nothing except spread. Slammer carries no payload that damages files on infected machines, as we've seen other viruses do; it never writes itself to disk, so a reboot clears it (until the next copy arrives, if the machine is still unpatched); and it contains no greetz (messages that hackers send to each other through worms) or political messages, for that matter.

The flaw is in the SQL Server 2000 Resolution Service, which listens on UDP port 1434 so that clients can look up the named instances of SQL Server running on a machine. Slammer sends a single 376-byte UDP packet that begins with the byte 0x04, the request type that carries an instance name, followed by an instance name far longer than the service's stack buffer can hold. The overrun hands control to the worm's code, which then loops forever, sending identical copies of the packet to randomly generated IP addresses as fast as the host's network connection allows. Because UDP needs no handshake and the worm never waits for a reply, the flood of outbound packets, not anything the worm does on the host, is what knocked out networks, ATMs, and 911 dispatch. (Microsoft's July 2002 bulletin for the Resolution Service also fixed a separate keep-alive flaw in which two SQL servers could be tricked into an endless exchange of meaningless packets; some early reports described Slammer in those terms, but the worm uses the overrun.)

The worm also affects PCs running Microsoft Desktop Engine (MSDE) 2000. MSDE can be found in Microsoft software development tools such as Visual Studio .Net, Office XP Developer Edition, and Microsoft Application Center 2000. A more complete list of vulnerable third-party software is available on SQLSecurity.com. Systems running these programs may experience unusual activity on UDP port 1434.

Consisting of a mere 376 bytes of code, Slammer was amazingly compact and no-nonsense. The Slammer code appears to have been distilled from a white paper written by David Litchfield of NGS Software that explained three SQL vulnerabilities. Litchfield's exploit has since appeared on malicious user Web sites and was most recently updated by Lion, the same hacker who created the Lion worm back in 2001.
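As an added example (not code from the column or from any vendor's product), here is a Python sketch of the detection a network team would want for this traffic: it flags the overrun packet by its UDP/1434 destination, its 0x04 request-type byte and its oversize length, and it flags any source that sprays UDP/1434 packets at many distinct addresses in a short window, which is how an infected host behaves. The port and the 0x04 request type are facts about the Resolution Service and the 376-byte length comes from the column; the size threshold, spray threshold and window length are assumptions, and the packet records are constructed, not captured.

```python
"""Flag Slammer-style activity on UDP/1434 in a set of packet records.

Added example, not code from the column. Two checks:
  1. a UDP datagram to port 1434 whose first byte is 0x04 (the SQL Server
     Resolution Service "named instance" request) and whose body is far
     longer than any real instance name, i.e. the overrun packet itself;
  2. one source sending UDP/1434 datagrams to many distinct destinations
     in a short window, i.e. the worm's random-address propagation loop.
Thresholds below are assumptions; the packet records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

SSRS_PORT = 1434
SSRS_INST_REQ = 0x04        # request type whose body is an instance name
SLAMMER_PAYLOAD_LEN = 376   # size of the worm packet, as stated in the column
MAX_SANE_INST_REQ = 64      # assumption: instance names are short (16 chars), so a real 0x04 request is tiny
SPRAY_THRESHOLD = 20        # assumption: distinct destinations per source per window
WINDOW_SECONDS = 10.0       # assumption: sliding window length


@dataclass
class Packet:
    ts: float       # seconds
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    payload: bytes


def is_overrun_packet(pkt: Packet) -> bool:
    """True for a UDP/1434 instance request too long to be legitimate."""
    if pkt.proto != "udp" or pkt.dport != SSRS_PORT or not pkt.payload:
        return False
    return pkt.payload[0] == SSRS_INST_REQ and len(pkt.payload) > MAX_SANE_INST_REQ


def find_sprayers(packets) -> dict:
    """Map source IP -> peak number of distinct UDP/1434 destinations it hit
    inside any WINDOW_SECONDS span, for sources at or above SPRAY_THRESHOLD."""
    by_src = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto == "udp" and p.dport == SSRS_PORT:
            by_src[p.src].append(p)
    flagged = {}
    for src, pkts in by_src.items():
        start = 0
        for end in range(len(pkts)):
            # advance the window start until it is within WINDOW_SECONDS of pkts[end]
            while pkts[end].ts - pkts[start].ts > WINDOW_SECONDS:
                start += 1
            distinct = len({p.dst for p in pkts[start:end + 1]})
            if distinct >= SPRAY_THRESHOLD:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def analyze(packets) -> dict:
    return {
        "overrun_packets": sum(1 for p in packets if is_overrun_packet(p)),
        "sprayers": find_sprayers(packets),
    }


def sample_packets():
    """Constructed records: two legitimate Resolution Service requests, one
    infected host spraying, and one host that sends a few oversize packets."""
    # Same type byte and length as the worm packet; the body is filler,
    # not the worm's code.
    worm_like = bytes([SSRS_INST_REQ]) + b"\x01" * (SLAMMER_PAYLOAD_LEN - 1)
    pkts = [
        Packet(0.0, "10.0.0.5", "10.0.0.20", "udp", 1434, b"\x02"),             # instance enumeration request
        Packet(0.1, "10.0.0.5", "10.0.0.20", "udp", 1434, b"\x04FINANCE\x00"),  # named-instance lookup
    ]
    for i in range(25):   # infected host: 25 distinct targets in 2.4 s
        pkts.append(Packet(1.0 + 0.1 * i, "192.0.2.10", f"203.0.113.{i + 1}", "udp", 1434, worm_like))
    for i in range(3):    # another host: oversize packets, but far too few destinations to be a spray
        pkts.append(Packet(5.0 + i, "198.51.100.7", f"203.0.113.{100 + i}", "udp", 1434, worm_like))
    return pkts


if __name__ == "__main__":
    print(analyze(sample_packets()))
```

On the sample, the first check flags all 28 oversize packets while the spray check singles out only 192.0.2.10; a host that receives a handful of worm packets is a target, a host that emits them to dozens of addresses is infected, and the two deserve different responses. The filler bytes in the sample are not the worm; the point is the shape of the traffic, which is also why simply blocking UDP/1434 at the perimeter stopped the spread for the sites that did it.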
Microsoft has had a patch for the vulnerability that Slammer exploits available since July 2002 (security bulletin MS02-039). However, many people apparently had not applied the patch or had applied it incorrectly. (The patch was unusually complex in that it required you to edit some files before applying the fix.) Ironically, just days before the attack, Microsoft released an easier-to-install service pack, SQL Server 2000 Service Pack 3, that resolves the problem.

Who's minding the store?

My question is: At the height of the attack, who was on guard to tell everyone how to deal with the crisis? Not the U.S. government. During the early hours of the Slammer assault on Saturday, January 25, the National Infrastructure Protection Center (NIPC), currently part of the FBI but soon to be relocated to the new Department of Homeland Security, was strangely silent. The first reports issued to system administrators and the media came from two private companies: Internet Security Systems and Network Associates (which owns McAfee Security).
Turns out our top NIPC officials were AWOL when the worm hit. The afternoon before the attack, they were celebrating the creation of the Department of Homeland Security, so it wasn't until midday Saturday, when reports of Slammer had already begun to subside, that the NIPC issued its first alert.
Marcus Sachs, director of communication for the White House Office of Cyberspace Security, admitted that the timing was bad. But is there ever a good time for a worm to hit? Even less reassuring was when the president's No. 2 cybersecurity expert, Howard Schmidt, admitted his consternation over the ATM outages. I would hope that someone in his position would be aware of--and somewhat prepared for--this sort of attack.

The fact is that there's no one left in Washington to run the cybersecurity show. Last Tuesday, news broke that White House presidential cybersecurity adviser Richard Clarke will resign next month, after he completes the final National Strategy for Securing Cyberspace report. While his departure was rumored before Slammer, I found it curious that Clarke offered no comments during this mini digital Pearl Harbor. It took him until January 30--five days after Slammer appeared--to send out an e-mail message about the attack. In it, he called Slammer "a dumb worm that was easily and cheaply made...More sophisticated attacks against known vulnerabilities in cyberspace could be devastating." Other federal cybersecurity leaders, such as former NIPC head Ron Dick, have already left the government to work in the private sector. And many rank-and-file IT professionals aren't in their government offices these days because they're being shipped off to the Persian Gulf.

No clear policy

To add to all this, the process the government set up last summer for disclosing software vulnerabilities is falling apart. NGS Software, which discovered the flaw exploited by Slammer, announced that it's no longer working with the nonprofit Computer Emergency Response Team Coordination Center (CERT-CC) at Carnegie Mellon University. Instead, NGS says it will work directly with the affected vendors to resolve vulnerabilities. Security experts have already started a letter-writing campaign to keep vulnerabilities public.
From the first large-scale Internet attack since the summer of 2001, I guess we've learned who's really protecting cyberspace: private companies such as Network Associates and ISS. Despite all its post-September 11 domestic-terrorism posturing, the U.S. government was out to lunch--or rather, dinner--when we really needed it. Perhaps the Bush administration's latest effort to monitor the Net's health, the Global Early Warning Information System (GEWIS), will improve matters in the future. But given that Slammer was but a taste of the havoc virus writers could wreak on the Net, it's going to take a lot for the feds to regain the Internet community's trust, if indeed anyone trusted them on this issue before. Do you trust the Department of Homeland Security to provide guidance during the next Internet security event? Why or why not?
Senior Associate Editor Robert Vamosi covers hoaxes, viruses, and security threats for CNET Reviews.